The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 is a critical framework designed to bolster the cybersecurity posture of the Defense Industrial Base (DIB). As cyber threats grow increasingly sophisticated, the DoD has recognized the need for a standardized approach to protecting Controlled Unclassified Information (CUI). The CMMC program provides the department with assurance that contractors and subcontractors meet DoD cybersecurity requirements and adapt to the evolving threat landscape. It ensures security in the supply chain.
Also Read: CIO Influence Interview with Mark Whitehead, CEO and co-founder, NDay Security
Based on CMMC 1.0 and introduced in December 2023, CMMC 2.0 is the most recent iteration of the DoD’s standard. It establishes several new rules around certification levels, ownership of assessments for CMMC compliance, and renewal requirements. The program creates a unified standard for implementing a cybersecurity framework across the DIB, based on the National Institute of Standards and Technology standards in the NIST 800 series. It aims to achieve five primary goals: safeguarding sensitive information, enforcing cybersecurity standards, ensuring accountability, perpetuating a collaborative culture of cyber resilience, and maintaining public trust.
Compliance as a Business Imperative
For manufacturers supporting defense contracts, compliance with CMMC 2.0 is not just a regulatory requirement but a crucial component of operational security and competitive viability. Beginning October 1, 2026, compliance with CMMC will become mandatory for managed service providers (MSPs), managed security service providers (MSSPs), and others who do business with the DoD or its various supply chain partners. For organizations that fall into this category, understanding the complexities of CMMC compliance, the associated requirements, and the substantial implications involved is essential.
CMMC 2.0 is structured into three levels of cybersecurity maturity, each with specific practices and processes that organizations must implement and adhere to:
Level 1 (Foundational)
- Basic Cyber Hygiene: This level focuses on basic safeguarding measures and is required for companies handling Federal Contract Information (FCI). It includes 17 practices derived from FAR 52.204-21.
- Annual Self-Assessments: Companies at this level must conduct annual self-assessments and affirm compliance through an executive statement.
Level 2 (Advanced)
- Advanced Cyber Hygiene: Designed for companies that handle CUI, Level 2 includes 110 practices aligned with NIST SP 800-171.
- Triennial Assessments: Organizations must undergo third-party assessments every three years, ensuring a more rigorous evaluation of their cybersecurity practices.
Level 3 (Expert)
- Progressive Cybersecurity Practices: This highest level is aimed at the most sensitive defense information and critical operations. It includes over 110 practices and additional requirements from NIST SP 800-172.
- Government-led Assessments: At this level, assessments are conducted by the DoD, reflecting the stringent nature of the required security controls.
Shift from Self-Attestation to Stricter Verification
The DoD previously depended on a self-attestation process to substantiate compliance among suppliers, but CMMC 2.0 establishes stricter verification controls. Compliance for Level 2 contractors will be determined through audits conducted by accredited third-party assessment organizations (C3PAOs), following procedures and criteria still under development by the DoD. Level 3 requirements, including assessment specifics, are still being defined and will involve some level of government participation. Self-assessments remain an option for certain Level 1 and Level 2 requirements.
Level 2 and Level 3 suppliers must also undergo reassessments for each new contract or renewal, in addition to maintaining their compliance every three years through reassessments. Self-assessments remain an option for certain Level 1 and Level 2 requirements.
Also Read: Layer Raises $6Million to Make Incorruptible Foundations of the Internet
Financial Challenges and Solutions
The primary risk to the success of CMMC lies in the level of investment: it may be unaffordable for small to medium sized companies. This subset of businesses represents 67 percent of contracts awarded by the DoD, making it unrealistic to “price them out” of compliance. Allowing companies to meet most of the specific cybersecurity requirements through external service providers is likely the most effective solution. Under the CMMC 2.0 regulations, MSPs must be certified to the same CMMC 2.0 level as the contractor, even if they do not directly handle CUI.
MSPs should get to know the pertinent CMMC requirements, evaluate their current cybersecurity measures, implement necessary adjustments, and possibly undergo an assessment by a C3PAO based on their compliance level. Contractors depend significantly on their service providers achieving CMMC 2.0 certification promptly to secure contracts and maintain business operations.
CMMC compliance is a complex and challenging framework. It requires a thorough assessment of current security postures, identifying gaps, and establishing new procedures and controls where you fall short. CMMC 2.0 represents a significant shift in how manufacturers supporting defense contracts approach cybersecurity, ensuring that organizations of all sizes can protect sensitive information against evolving threats. By understanding and implementing the key components of CMMC and clearly defining the roles responsible for compliance, organizations can position themselves as trusted partners in the defense supply chain, ready to meet the challenges of an increasingly complex cyber threat landscape.
Tim Golden is the founder and CEO of Compliance Scorecard, a leading provider of compliance-as-a-service (CaaS) solutions for managed service providers (MSPs). For over two decades, Tim has empowered MSPs to turn compliance into a strategic advantage through a blend of human expertise, process optimization, policy management, and cutting-edge technology. He brings a knack for leading high-performing teams from his time in the U.S. Army and a passion for demystifying complex regulatory environments to help organizations thrive.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
